Two-Factor Authentication
Two-factor authentication is a subset of Multi-factor authentication (MFA). The general point of this idea is to confirm a user's claimed identification. This is usually performed by having users provide two pieces of evidence (often referred to as factors) to prove that one is whom one says one is. The "pieces of evidence" are tied into the respected system's authentication mechanism. Often two of these three factors are used or at least offered as options to users to choose from: inherence (something related to the user's personal features and/or bio make-up), knowledge (personal information that only the user would know), and possession (something personal that the user would only have access to). Authentication Factors The purpose of using two-factor authentication is to limit unauthorized access to a system. These types of security measures have been more popular in recent years due to the influx of cyber threats. However, the methods have been around for much longer and became mainstream for businesses since the Computer Fraud and Abuse Act of 1986 along with Title 18, U.S. Code Sec. 1001 and 1030. Inherence Factor This is a factor that tends to be the most secure option, however, can be astronomically expensive to implement and maintain. The user's biometric features are used, such as eye retinal scans, fingerprints technology, and facial recognition. Some modern laptops and smartphones have built-in features as a fingerprint scan and facial recognition. This method is easier to implement for a user attempting to gain access to a facility or piece of hardware, but become rather more involved for logging into an email. This type of authentication factoring usually is not used for simple logins to emails and social media. Nevertheless, out of all the different options for inherence authentication, fingerprint scanning is used more often in companies to secure sensitive areas of their facility. Knowledge Factor This being the more common of authentication option, most people have had experience with this. Users tend to see examples of this when one tries to recover a forgotten password or attempt to log into a system from a new computer. The knowledge part is filled out during the creation of the respected account; this gravitates towards security questions about the user's personal life or a secret pins or passwords. Since human thinking can be very predictable, certain security measures are enforced when making these knowledge factors. For example, pins cannot be related to the user's birthday, passwords cannot have any related words of the users public information (i.e. name, email, etc.) and usually must have at least two or more character types (numbers, letters, specials, etc.), and must be of a certain length. Possession Factor A common practice with business and emails today. The process either involves a piece of hardware such as a phone or token generator, or some sort of recovery email that the user has access to. Commonly, a user will provide the knowledge portion of the authentication method and then the system will ask the user to use their procession factor to validate the system access. Since the early 2010s, this type measure has gained much popularity. The different types of options give users the ability to secure their accounts even if an attacker knows the account password or pin. * Mobile Device: certain businesses such as Google and Yahoo! use this option. When a user's account is trying to be accessed the user will get a text message, alert via an app, or phone call. The notification will prompt users with the instructions to continue onward which usually involve either remotely granting access or the notification will provide a temporary password or pin to be entered. * Token Generator: a small device that is either worn on the person or held in a secured area with a randomly generated password that changed every n minutes. This commonly includes a third party service subscription such as RSA SecurID. * Recovery Email: working much to the same degree as the mobile device option, the user will receive a notification to their recovery email account that will either provide a specified link for users to proceed to the account or remote option to grant access such as a button. Real World Business Implementation & Practices Most people use this method more often than one would think. Any time an ATM is used, the combination of the bank card and the user's pin satisfies the two-factor authentication. The bank's card acting as the possession factor and the pin as the knowledge factor. Besides the normal ATM use, banks and any service that revolves around money transactions have some type of two-factor authentication method required for an account. The modern world sees these security implementations as a necessary one, although many companies failed to require them before their clients' accounts were compromised. In August of 2013, the Yahoo! Data Breach occurred which involved more than three billion of their accounts were exposed with personal data (password, emails, security questions, etc.) about the users were at the fingertips of the hackers. Mid 2016 Yahoo! carried out their Two-Step Verification which utilizes the user's mobile device as a possession factor. Google, ZeniMax, and Microsoft to name a few have a built-in feature to their users' accounts that users are forced to use. After a certain amount of time of a user not using the account or if the user attempts access from a new or unrecognized IP address, the service then requires the user to perform a two-factor authentication to sign-in regardless if the user opted out of similar security measures before. Some companies, such as those in the nuclear power industry require an employee to be submitted to require biometric verification to gain access to certain areas of a facility. Exelon Corp and Southern Company, for example, use fingerprint scans as well as other biological features to gain access to their secured areas. Security Efficiency The process of any type of multi-factor authentication decreases the rate of identity theft significantly, including other types of online fraud. Nevertheless, the weakest factor in any system's security is usually the user. People tend to set passwords to be easily remembered but also easily guessed. Hackers and hacking programs try to brute force their way through if the user sets up an insufficnent authentication scheme. However, these generic types of authentication methods are still very well vulnerable to phishing scheme and man-in-the-middle attacks. Regardless, detailed outline for authentication methods are drafted for US business in the Homeland Security Presidential Directive 12, which regulates certain fields to implement such measure, but always recommends them. Source Page